Posted by EditorDavid on Sunday December 04, 2016 @07:09PM from the peeking-through-Windows dept.

jader3rd shares an article from PC World arguing that Windows 10's data collection "trades your privacy for Microsoft's security."
[Anonymized] usage data lets Microsoft beef up threat protection, says Rob Lefferts, Microsoft's director of program management for Windows Enterprise and Security. The information collected is used to improve various components in Windows Defender... For example, Windows Defender Application Guard for Microsoft Edge will put the Edge browser into a lightweight virtual machine to make it harder to break out of the browser and attack the operating system. With telemetry, Microsoft can see when infections get past Application Guard defenses and improve the security controls to reduce recurrences.

Microsoft also pulls signals from other areas of the Windows ecosystem, such as Active Directory, with information from the Windows 10 device to look for patterns that can indicate a problem like ransomware infections and other attacks. To detect those patterns, Microsoft needs access to technical data, such as what processes are consuming system resources, hardware diagnostics, and file-level information like which applications had which files open, Lefferts says. Taken together, the hardware information, application details, and device driver data can be used to identify parts of the operating system that are exposed and should be isolated into virtual containers.
The article points out that unlike home users, enterprise users of Windows 10 can select a lower level of data-sharing, but argues that enterprises "need to think twice before turning off Windows telemetry to increase corporate privacy" because Windows Update won't work without information about whether previous updates succeeded or failed.

You got it. After Microsoft fired all their QA testers, the SDLC concept for Windows 10 seems to be:

* Insiders are the alpha testers, but at least they volunteered for that.

* The general public are unwitting surveillance subjects and beta testers. Microsoft will Do The Needful to your computer whether you want it done or not. These mandatory patches can make your computer stop working, blue screen, lose data, or somehow fuck up previously perfectly working peripherals at any time. You can't decline a patch even if you know in advance it's going to fuck you up!

* Only Enterprise users get the finished product and they have to pay through the teeth for that privilege. Whatever patches didn't fuck up millions of consumer PCs may eventually make their way here.

Actually, Windows 10 is less secure than any previous version of Windows, because it is almost impossible for any administrator to distinguish legitimate outbound network traffic from that of trojans and viruses. If Microsoft published a definitive list of all servers their software connects to without asking the user, explain what it does and what it transmits, and allowed you to block the traffic at will, then maybe it would be more secure. But right now, no way. It opens so many connections, it's impossible for anyone outside Microsoft to know what's really going on. (Don't forget that allegedly Microsoft-owned can also be hijacked, e.g. by direct attack on Microsoft's infrastructure or by DNS poisoning.)

What is a Microsoft talking head going to say? That Windows sucks to high heaven and that it does not spy more thoroughly into users because it can't? That would be news, for nerds or anybody else; this is not news, for nerds or anybody else.

Telemetry should be able to be switched off entirely, on all Windows installs, so that our right to privacy is respected. Many of the apps that I use include telemetry but I only use those that provide an option to disable their telemetry, even though I will allow telemetry from some trusted apps. MS have repeatedly demonstrated that they cannot be trusted and it is scary that they released an entire OS that is actually spyware. In any case, it means that Windows 7 will be the last version I allow to be installed on any computer I own.

If Windows update doesn't work without telemetry, that is a demonstration of MS incompetence and a very bad design decision. Linux is my main OS and it sends no telemetry for updates, while still managing to install updates. Those Linux updates also cover every piece of software I have installed in that OS, not just OS updates.

You're getting upset about the wrong thing because you apparently believe that software proprietors can be trusted. Ultimately who would tell you that a particular variant of Windows allows you to switch some privacy-busting feature off? The proprietor — the very party you can't trust to tell you the truth.

Structurally no proprietor is any different in this regard: they're all untrustworthy by default no matter what they tell you a feature is for, how to disable that feature, or whether you can trust the

Telemetry should be able to be switched off entirely, on all Windows installs, so that our right to privacy is respected.

I agree; sharing of data online should be an opt-in operation rather than something that for the most part cannot be completely opted-out-of. Microsoft's EULA allows for sharing any data they collect with third-parties, and there are reports that they already have and are continuing to do so. There are those that are proponents of what Microsoft is doing, saying that it's "good" for the OS, however if any open-source operating system were to do what Microsoft is doing, it would receive a lot of criticism for sharing data without opt-in consent.

There is some relief to be had however: on Windows 10 Pro and above the Telemetry service can be disabled. The service is named "Customer User Experiences and Telemetry". Look in "Administrative Tools" in "Services" and stop + disable it. The way to verify that the service is disabled is to look at the hidden folder %Program Data%\Microsoft\Diagnostics before-and-after stopping and disabling the service; before stopping the service the encrypted files there cannot be deleted because they're "in use", after stopping the service the files can be deleted and don't return.

There are firewall rules concerning the "Customer User Experience and Telemetry" service that can be disabled too -- but (from what I've read) supposedly disabling these rules won't block the service from the Internet. i.e. similar to how some sites cannot be blocked via "hosts" file entries because Microsoft has hardcoded certain names/IPs in their DNS resolver, supposedly there are certain hardcoded bypasses to the firewall as well.

It's possible to get Windows Update working over Tor, BTW. Windows Update unfortunately only understands an HTTP proxy, not Socks5, so another proxy (such as Privoxy, which is open source) is required to forward traffic to Tor via Socks5. Windows Update follows the proxy set by 'netsh winhttp set proxy IP:PORT;exception_list' (which requires being run from an Admin command prompt). Then firewall rules to block all traffic not coming from the Tor daemon. Verification via packet sniffing or via 'Tcpview' from SysInternals. Unfortunately what I see after all that is there is still some System-level traffic that accesses the 'Net directly, i.e. bypassing the firewall, so this still doesn't seem to be 100% trustable. (Not that it could be, anyway, given that Windows is not open source.)
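
The manual checks described in the comment above (service state, the data directory, the WinHTTP proxy, and connections that do not go through the proxy) can be collected into one read-only PowerShell audit. This is an added example, not part of the original comment or any Microsoft tooling; the directory default is the path as the comment gives it, and the allowed process names `privoxy` and `tor` are assumptions to adjust.

```powershell
# Added example: read-only audit of telemetry service, data directory, WinHTTP
# proxy and direct outbound connections. Run from an elevated PowerShell prompt.
param(
    # Assumption: path as written in the comment; override if your build differs.
    [string]$DiagPath = (Join-Path $env:ProgramData 'Microsoft\Diagnostics'),
    # Assumption: processes that are allowed to hold outbound connections.
    [string[]]$AllowedProcess = @('privoxy', 'tor')
)

function Get-TelemetryServiceState {
    # Match on display name with wildcards rather than a hard-coded title.
    Get-Service -DisplayName '*User Experience*Telemetry*' -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, Status, StartType
}

function Test-DiagPath {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Kind = 'Missing'; Files = 0; InUseOrDenied = 0 }
    }
    $item = Get-Item -LiteralPath $Path -Force
    if (-not $item.PSIsContainer) {
        # A plain file sitting where the directory used to be (a later reply
        # in the thread suggests this as a way to keep it from being recreated).
        return [pscustomobject]@{ Path = $Path; Kind = 'File'; Files = 0; InUseOrDenied = 0 }
    }
    $files = @(Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue)
    $blocked = 0
    foreach ($f in $files) {
        try {
            # An exclusive open fails while another process holds the file
            # (the "in use" symptom from the comment) or when access is denied.
            $h = [System.IO.File]::Open($f.FullName, 'Open', 'Read', 'None')
            $h.Close()
        } catch {
            $blocked++
        }
    }
    [pscustomobject]@{ Path = $Path; Kind = 'Directory'; Files = $files.Count; InUseOrDenied = $blocked }
}

function Get-DirectConnection {
    param([string[]]$Allowed)
    # Established TCP connections to non-loopback peers, with the owning process
    # resolved, minus anything owned by an allowed process.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $name = if ($p) { $p.ProcessName } else { "pid $($_.OwningProcess)" }
            if ($name -notin $Allowed) {
                [pscustomobject]@{
                    Process   = $name
                    ProcessId = $_.OwningProcess
                    Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
                }
            }
        }
}

'--- Telemetry service (expect Status Stopped, StartType Disabled) ---'
Get-TelemetryServiceState | Format-Table -AutoSize

'--- Data directory ---'
Test-DiagPath -Path $DiagPath | Format-List

'--- WinHTTP proxy (the setting changed by netsh winhttp set proxy) ---'
netsh winhttp show proxy

'--- Established connections not owned by an allowed process ---'
Get-DirectConnection -Allowed $AllowedProcess |
    Sort-Object Process, Remote |
    Format-Table -AutoSize
```

The last table is a point-in-time snapshot, so short-lived connections will not appear in it; a packet capture on an upstream device remains the stronger check.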

The safest option is to delete/rename the "Diagnostics" directory and then create an empty file called "Diagnostics". Remove system level privileges from it (only your user account has access) for good measure. Then even if an update or Windows Defender or whatever re-enables it, it won't be able to create any data to send.

The system level stuff that bypasses proxies is there to prevent viruses simply setting up a proxy to prevent Windows Defender and Windows Update working. Similarly they will ignore entri

The safest option is to delete/rename the "Diagnostics" directory and then create an empty file called "Diagnostics". Remove system level privileges from it (only your user account has access) for good measure. Then even if an update or Windows Defender or whatever re-enables it, it won't be able to create any data to send.

I like it, and I plan to implement it. Thanks for the idea.

I didn't understand the following statement:

The system level stuff that bypasses proxies is there to prevent viruses simply setting up a proxy to prevent Windows Defender and Windows Update working.

I don't understand this as-is and I've re-read this a few times trying to figure out "what you probably meant instead" and haven't been able to figure that out either. If you wouldn't mind, please respond with a tad more detail so I can try to understand better. Thanks.

If Windows update doesn't work without telemetry, that is a demonstration of MS incompetence and a very bad design decision.

How is that a bad design decision or incompetence? I think it's quite the opposite. Why should Windows Update work without telemetry? MS gets more profit by having telemetry enabled on all systems, and it doesn't benefit them at all to allow users to disable it. After all, what are disgruntled users going to do? Stop using Windows? Fat chance. MS might as well force them to keep

The reason for that I believe is that average "joe-blow" has ZERO idea of what a privacy TURD Windows 10 is.. All he sees is the -arguably- pretty UI and that's all he cares about.. Of course, when an update shits the bed, and he can't use his computer for hours/days, then THAT pisses him off. Then he calls me (or somebody like me) to come fix it.. Any time a media outlet tries to inform "joe-sixpack" about what a turd Windows 10 is, the MS trolls come out of the woodwork and pooh-pooh the issue..

Because that could be done with a fairly small number of users, no need to spy on all of them. Anyways, while I would pay money for Win10, it would have to be the LTSB-version, because spying can be fully turned off and no new "features" all the time. As at the moment there seems to be no way to get LTSB as private user or small business, I will stay on Win7 for anything that needs Windows (Office, gaming) and try to move everything else to Linux, where I at least have control over what gets sent to the distro (nothing). In the worst case I will get a gaming-only PC with Win10 (no email, no browsing, no work) in a few years, jail Office in a no-network Win7 VM and do everything else on Linux.

In the worst case I will get a gaming-only PC with Win10 (no email, no browsing, no work) in a few years

Haven't you seen the automatic updates? There was a FPS streamer whose streaming suddenly got a "windows is updating"-bluescreen during a live session. Also, I personally have been impacted in a racing (lucky it was just practice) where I would see bad connection symptoms (cars skipping on the track) and only on shutting down Windows I realized it was "my connection" that was the problem (as I got the update-installing screen).

I don't see the problem here at all. Gamers should be *happy* to have Windows force an update during one of their games.

I've been hearing for *years* from "gamers" how Windows is the One True Platform for games, and everyone needs to use Windows just because of games. So I'm quite happy to see them getting their games disrupted by Windows Update. Any of them who complain about this are hypocrites, given their steadfast support and advocacy for Microsoft and Windows.

The problem is they backported all that telemetry to 8 and 7, except you get none of the benefits that they supposedly give you on 10. Which makes me think this is just a bunch of lies to make people feel better about it.

They did. But it was (I think) an optional update. With the new model we can expect a new attempt though, if they dare. After all, implementing opt-out telemetry is a criminal act in the EU for COTS software.

One main reason for LTSB is that I could block these criminals in my firewall and not have updates all the time that invalidate the blocking and that I could download security updates that are really only security updates.

With Windows 10, you and your privacy are the product - sold down the road by Microsoft for commercial gain. Any potential that the OS might become more secure as a result of this data leaching is merely an unintended side effect.

...I have one simple demand: Guarantee that it will never be used against me. Ever. For any reason. Even if somebody holds a gun to their head (e.g. national security letter). And I get to define what "used against me" means. And if my data is ever used against me, Microsoft is strictly liable to pay me one billion dollars.

If Microsoft is absolutely certain that telemetry data will never be used against the users it was collected from, these terms won't bother them.

Stop skirting around the theme and get to the point: the fact that data collection is obligatory and there is no option to completely disable it is the problem itself. Data collection in Windows systems has always been there more or less, the problem is how it became something that cannot be disabled, which is bad especially for companies with sensitive data.

I don't care if Microsoft can post updates faster and enhance security with it, the way they figure that out is the company's own responsibility. Stuff like that cannot be pinned down as something users should be responsible for, especially for OSs that are still essentially commercial in nature.

This has always been the problem with data collection schemes, and it'll continue being regardless if Microsoft PR talks it'll improve the experience or not. It's the same crappy excuse that all companies that profit on data collection use. All of them say the exact same thing. So I couldn't care less on what Microsoft PR declares they'll do with it, it doesn't diminish the disgust in any way. Privacy has always been a matter of principle, not on what some company says it'll do after the fact.

If they want to go that route, fine, keep sending data back and making it harder and harder for clients to dial back on that shit. But don't expect users to change their views if they are not willing to back down. Windows 10 will keep having and deserving the image of being an OS that spies on its users. And that's exactly what it does. It's extracting data from people's desktop, doing its best to make that invisible, and taking away options to disable it.

Much like they forced the Windows 10 update down lots of people's throats using some very dirty tactics, there's no excuse for what they are doing with ads and with stealing user data. I don't care if they say it's anonymized or whatever, I don't want my desktop sending anything back, period. People who are against this trend don't want to hear your promises on what you'll do with the data, we don't care. We're going for alternative routes that are not opting for data collection. That's it.

Here in the real world, lots of people have to use software that runs only on Microsoft Windows. You seem to be saying that, if I depend, for some reason, on Windows-only software (for example, because it's absolutely necessary for my business), I am a hypocrite and there's absolutely nothing wrong with Microsoft not even using lube.

It must be nice to live on a planet where all important software has Linux versions.

That's what you get for not insisting that your software vendor make a version available for other platforms. You've willingly made yourself dependent on that one software vendor (the business application provider), instead of looking for alternatives or making your own, so now you suffer the consequences.

You know what happens if I insist that my software vendor put out a non-Windows version of their software? Absolutely nothing. You know what happens if I insist on not using Windows-only software? I render myself less employable, including missing out on some really good jobs, and that's pretty much it. You know what happens if I look for alternatives to Windows-only software? Sometimes I'll find something that works great, sometimes I'll find something half-assed, and sometimes I'll find nothing at a

There's plenty of people that live in the "real world" and make a fine living working on Linux software and not using MS-ware at all.

If you think you need to compromise that way to "make a living", that's the bargain you've chosen, and you get to suffer the consequences accordingly. Don't complain when things go badly for you, because I for one don't give a shit, and laugh at your suffering. You've chosen this path for yourself. Sure, you by yourself insisting your software vendor make a non-Windows vers

Sure, lots of people in the real world do well working on Linux or Unix machines. That's nice. There are industries that they can't work in and jobs they can't get. If the economy as it exists today is to function, there have to be a large number of people running Windows. This is beyond the ability of any individual to influence.

So, you're going to laugh at my suffering because of what numerous other people are unwilling to do? Asshole.

This is all a push to get people on the subscription model. Windows 10 Enterprise can disable it, and costs $7 a month. This is what Microsoft has been working toward for quite a while, and did it already with Office 365. If you want to continue to use Windows, they either make their money off your data, or a subscription fee. It's really that simple.

So when I offer a client confidentiality, it's supposed to be between him/her and me...Oh, and those guys over there at Microsoft. The guys who have already proved they'll roll over for any of the US letter agencies (and probably the government of Communist China among many others), and who have proved in the past to be embarrassingly incapable of "not fucking up".

Not happening.

My business computers will never, ever have Windows 10 on them. And that is one of my selling points.

I think I have to agree with "Opportunist" on this. If I was Joe Average Guy who got upgraded to Win10 and didn't know they were collecting data, that's one thing. But my job involves knowing better, and being able to deliver confidentiality when I promise it.

This means I am responsible for what my OS is doing with other people's private information. In my case, due diligence means actually reading the EULA, or having my lawyer do so. If I got hacked somehow that wouldn't be a problem, as long as I'd ta

Absolutely 100% agreed. I never put private information (mine or anybody else's) beyond my control like that. It's the height of irresponsibility, and there have been more than enough situations proving so already.

Opposite of security - more people know your stuff. I wonder how long it will be before we hear of an intern at Microsoft abusing credit card numbers and other harvested information. It is a very stupid accident waiting to happen and only seems to have been done for a bit of one-upmanship on Google with their databases of search history.

"...unlike home users, enterprise users of Windows 10 can select a lower level of data-sharing, but argues that enterprises "need to think twice before turning off Windows telemetry to increase corporate privacy" because Windows Update won't work without information about whether previous updates succeeded or failed."

Translation: Enable Telemetry, or we break your Security Kneecaps. Fuck You Very Much, and Have a Nice Day.

Kills me that this is legal when IE landed them in court for way less than this mafia licensing bullshit.

So, it's bad enough that Microsoft is forcing telemetry and updates on Home and Pro users, but if Enterprise users *don't* enable telemetry, then their updates won't function properly?

I'm guessing that the only reason they haven't been slapped with enough anti-trust lawsuits to suffocate under, is cause people are still able to stick with Windows 7 for the time being... Unless they've retroactively pulled the same crap update crap on Windows 7 like they did with telemetry?

Helping the creators and coders of the OPERATING SYSTEM you use through the use of limited anonymous data it can only help.

Until they happen upon some supposedly anonymous data that ends up connecting you personally to WrongThink. Of course, your "re-education" may be seen as a bug fix by those who decide what WrongThink is.

I use OpenDNS and have removed access to the latest list of MS telemetry servers. I use Windows 10 (sparingly) for games, and the odd application that actually does require windows. Yet I'm still able to update. Yes, it has managed to piss me off a couple times... but nowhere near the point of overhauling the box with Linux. Partially because the last time I tried to use Linux with this hardware it was even more of a pain to get to work, so I went with the path of least resistance.

I use OpenDNS and have removed access to the latest list of MS telemetry servers. I use Windows 10 (sparingly) for games, and the odd application that actually does require windows. Yet I'm still able to update. Yes, it has managed to piss me off a couple times... but nowhere near the point of overhauling the box with Linux. Partially because the last time I tried to use Linux with this hardware it was even more of a pain to get to work, so I went with the path of least resistance.

Isn't it odd that people go through gyrations in order to get W10 useable, yet any issue at all with Linux makes it a non-starter?

If you have trouble with Linux, it isn't Linux's fault. Millions of us install and use and update all the time, yet you have conclusively proven by your singular experience that

Linux

Does

not

Work!

So what are the rest of us doing wrong that makes our Linux installs so easy?

Really.. I discount anybody who says "I tried Linux and it didn't work..." Unless you've got some seriously WEIRD hardware, any of the more popular Linux distros are gonna work great.. Especially those who gripe about Windows problems and then also gripe that Linux doesn't work.. Umm, I think it might be YOU (the complainer) that is the problem vs Linux...

Really.. I discount anybody who says "I tried Linux and it didn't work..." Unless you've got some seriously WEIRD hardware, any of the more popular Linux distros are gonna work great.. Especially those who gripe about Windows problems and then also gripe that Linux doesn't work.. Umm, I think it might be YOU (the complainer) that is the problem vs Linux...

We get this same thing with an SDR Radio that I own. In our community group, People come in breathing fire, wondering why they bought such a piece of shit radio from a bunch of crooks and us assholes who help them support the crap, and 99 times out of 100, it's pilot error.

And I've had to as gently as I could on a number of occasions, let them know that if everyone else has a working setup, the problem is probably on their end.

Go reply to all the countless Linux forum support threads telling them that they are idiots and Linux just works. LOL.

Well, first off, I seldom call people idiots. But having helped a lot of people, the problems are generally either from trying to impose Windows on Linux, especially at install.

Why I've used the forums myself on occasion. That isn't even at issue because there are help forums for everything. That's how we find bugs, that's how we learn details. Few of us were born knowing how to do this stuff. But if you cannot produce a working Linux install from a Live distro, it's probably because you didn't follow the

The same can be said about each other, but your lack of seeing that makes you a tool.

Same thing makes you rather limited, but hey, thanks for letting me know I'm annoying, because I was only half trying so far. When I'm hitting on all cylinders, I make Torvalds look like Mother Theresa, and that's just how I like it. Ciao, my chachalaca.

If I have to give up my privacy, I want a computer that always works. Otherwise, it's security through inoperation.

Lol, not a bad idea. Like nazis used to turn off electricity in whole blocks to see if the resistance transmitter stops working. Screw up updates to half of computers, see if what you want to stop has stopped. Divide, conquer:) In a few decades of failing updates you will know who is doing it, totally worth it right?

MS: "Gosh we feel awful about it, but this is gonna hurt you a lot worse than it hurts us."

MS: "Gosh we feel awful about it, but this is gonna hurt you a lot worse than it hurts us."

Strat

Except it doesn't hurt a bit.

There is only one program that I used that I need Windows for, and that has been replaced recently by an OSX version, so I ditched 10, keeping a dual boot OSX/W7 setup in case something came up I needed Windows for. But that's just me. If someone has to have Windows, they have my sympathy. My present "Windows experience" consists almost totally of repairing other people's update damage.

Since windows doesn't have many of the programs I need like Final Cut, and it's integr

heh.. I like your comment "My present "Windows experience" consists almost totally of repairing other people's update damage".. That's me also.. I supported/used Windows for 20 years as a sysadmin, but when I retired in 2010, I decided I was done with using it on my personal systems. At the time I dualbooted Linux and Win7, and it was a piece of cake, and quite cathartic to fire up gparted and delete the Win7 partition.. Just for drill, I do keep a Win7 virtualbox vm, but I don't recall the last time I fired

heh.. I like your comment "My present "Windows experience" consists almost totally of repairing other people's update damage".. That's me also.. I supported/used Windows for 20 years as a sysadmin, but when I retired in 2010, I decided I was done with using it on my personal systems. At the time I dualbooted Linux and Win7, and it was a piece of cake, and quite cathartic to fire up gparted and delete the Win7 partition.. Just for drill, I do keep a Win7 virtualbox vm, but I don't recall the last time I fired it up.. From the sound of the updates situation, and MS putting all updates into a big blob, so it's impossible to see what's needed AND what's NOT, I guess I may as well just delete the VM also.. Of the friends/neighbors/family that I haven't been able to migrate over Linux, that is my only connection with any MS products any longer.. As far as I'm concerned, MS can FOAD....

My Windows support days were pretty strange, since technically I wasn't even a computer person. But a large part of the job was being the guy at the meeting who was there to make certain that shit worked. A lot of the official IT guys hated me because they had to listen to an outsider like me. The smart ones knew I was saving their asses. But the suits had a wide range of programs that needed to run, and the regular IT people tended to piss themselves when the suits told them they needed something fixed ASAP

Dunno WHY I'm replying to an AC, but here goes.. There's a lot of us (and MORE of us, as MS keeps on with their shitshow) that actually READ that EULA, and in fact, I have a close friend who is an attorney, who I asked to read it and give me his take on it, from a legal point of view, and I can sum up his comments in a VERY short manner... "RUN... RUN AWAY FAST..." Fortunately, for myself, I gave up any use of MS products when I retired in 2010. Prior to that, I spent 20 years supporting/using MS products. I

Never before has "those that give up freedom for security deserve neither" been truer, and more blatantly obvious. We gave up our privacy and what did we get in return? An OS where every update has become a gamble whether it's going to boot up after again or whether we have a brick now. An OS that is STILL every bit as insecure as every predecessor.

No, just no! If a company puts lead in their products, you are not just saying that you should stop buying them. And if the law does not forbid the sales of lead in the consumer products, you do not say 'oh well'. You change the law.

So if they are allowed to do this and it is wrong, you need to change the law to handle that wrong, so it becomes forbidden.

Now if they would at least make it opt-out by default, they could offer some incentive for people to opt-in, then there should

Even IF MS *did* make it opt-in, why in God's name would you trust them to abide by your choices? And sure, MS and their surrogates tell you to turn off, with those cutesy little toggle switches and use a local account, if their datamining bothers you, privacy-wise.. Hmm.. And you *trust* MS to actually turn OFF these things because you didn't take the "recommended"/default install?? Oh boy.. Dunno about you, but I trust MS about as far as I can throw them..

I would not be wanting to give my details either, but if others want to do so willingly, that is up to them, not to me. There are people who give their details to stores they shop at in real life all the time, just so they can get a reduction or whatever. I don't have that and I don't want that.

I decided to see for myself if by taking a NON-default install of 10 would stop or at LEAST reduce the outbound traffic to the -listed in many places- MS sites.. I took a neighbor's default installed laptop of 10Pro and a NON-default installed laptop of 10Pro (all privacy-switches OFF, local machine account) and loaded a remote packet capture tool on the firewall of my home network, where EVERYthing else on the network was either Android or Linux.. I put each machine individ

No... Windows 10 is "free"... as in, we won't charge you $$$ for it, but we're gonna collect and save EVERYthing you do on the computer and sell it to the highest bidder AND government... Whereas, Linux is free (as in no quotes).... BIG difference, big enough to drive a bus thru.....

Not with mysterious government cameras appearing on utility poles, "Stingray" type cell-site MITM units used by local PDs, even being near others with cellphones/tablets/etc, ALPR systems, biometric ID matching, NSA/TLA/Five-Eyes data-slurping anything they can, etc etc etc.

The ways in which individuals can be and are tracked if/when authorities wish makes an amazingly-long list.

Not saying you should accept this crap from MS, just the opposite. Just pointing